On 01/22/2016 05:23 PM, Fabio Pedretti wrote:
Hi, I would like to do the following:
-t nat -A POSTROUTING -i eth3 -j MASQUERADE
but I get this error:
iptables v1.4.21: Can't use -i with POSTROUTING
So I am planning to use:
-t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
However, I find the latter, working solution less smart than the first, non-working one. For example, I should add rules for every network coming from that interface, which may also change in the future. Is there a reason why -i is forbidden?
I think the incoming interface information of a packet is not retained until the POSTROUTING chain (it is only available up to the INPUT/FORWARD chain).
Is there a better solution than using -s?
In the FORWARDING chain, you can mark the packets based on the incoming interface. Then use the mark to MASQUERADE the packets in the POSTROUTING chain, e.g.:
# MARK is only valid in the mangle table; the nat table has no FORWARD chain
-t mangle -A FORWARD -i eth3 -j MARK --set-mark 0xffff
-t nat -A POSTROUTING -m mark --mark 0xffff -j MASQUERADE

(I hope this should work. However, I haven't tried this by myself.)

Vignesh
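The mark-then-masquerade idea from this reply, as an added example that is not part of the original message: a shell function that emits iptables-restore input covering several incoming interfaces with one nat rule. The function name `gen_masq_rules`, the mark bit 0x1 and the interface names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: build iptables-restore input that masquerades traffic
# by *incoming* interface, using a packet mark as the carrier.
# gen_masq_rules, MASQ_MARK and the interface names are illustrative.

MASQ_MARK=0x1   # assumed free mark bit; value/mask form leaves other bits intact

# Usage: gen_masq_rules IFACE...
# Writes the ruleset to stdout; returns 1 on a missing or invalid name.
gen_masq_rules() {
    [ "$#" -gt 0 ] || { echo "no interfaces given" >&2; return 1; }
    for ifc in "$@"; do
        # Linux interface names are at most 15 characters; also refuse
        # anything that could inject extra rule text into the output.
        case "$ifc" in
            ''|-*|*[!A-Za-z0-9_.+-]*|????????????????*)
                echo "invalid interface name: $ifc" >&2; return 1 ;;
        esac
    done
    # -i is accepted in FORWARD, so the mark is set there (mangle table).
    echo '*mangle'
    for ifc in "$@"; do
        echo "-A FORWARD -i $ifc -j MARK --set-mark $MASQ_MARK/$MASQ_MARK"
    done
    echo 'COMMIT'
    # nat POSTROUTING is traversed after mangle FORWARD, so the mark is
    # already on the packet when the MASQUERADE rule is evaluated.
    echo '*nat'
    echo "-A POSTROUTING -m mark --mark $MASQ_MARK/$MASQ_MARK -j MASQUERADE"
    echo 'COMMIT'
}

# Print the ruleset for two constructed interface names.
# To load it (needs root): gen_masq_rules eth3 eth4 | iptables-restore --noflush
gen_masq_rules eth3 eth4
```

Adding or removing an interface then only changes the mangle lines; the single nat rule stays the same regardless of which source networks sit behind those interfaces.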